Updated gdk-pixbuf packages that fix several security flaws are
now available.

The gdk-pixbuf package contains an image loading library used
with the GNOME GUI desktop environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Thomas Kristensen discovered a bitmap file that would cause the
Evolution mail reader to crash. This issue was caused by a flaw
that affects versions of the gdk-pixbuf package prior to 0.20. To
exploit this flaw, a remote attacker could send (via email) a
carefully-crafted BMP file, which would cause Evolution to crash.
The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0111 to this issue.

During testing of a previously fixed flaw in Qt (CAN-2004-0691),
a flaw was discovered in the BMP image processor of gdk-pixbuf. An
attacker could create a carefully crafted BMP file which would
cause an application to enter an infinite loop and not respond to
user input when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a
heap overflow in the XPM image decoder. An attacker could create a
carefully crafted XPM file which could cause an application linked
with gtk2 to crash or possibly execute arbitrary code when the file
was opened by a victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file
which could cause an application linked with gtk2 to crash when the
file is opened by a victim. (CAN-2004-0788)

Users of gdk-pixbuf are advised to upgrade to these packages,
which contain backported patches and are not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www
fedoralegacy.org/docs for directions on how to configure yum and
apt-get.

Zlib is a general-purpose, patent-free, lossless data
compression library which is used by many different programs.

2. Relevant releases/architectures:

Fedora Core 1 - i386

3. Problem description:

Johan Thelmen reported that a specially crafted file can cause a
segmentation fault in zlib as the inflate() and inflateBack()
functions do not properly handle errors. An attacker could
construct a carefully crafted file that could cause a crash or
possibly execute arbitrary code when opened. The specific impact
depends on the application using zlib. The Common Vulnerabilities
and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0797 to this issue.

Users of zlib are advised to upgrade to this errata package,
which contains a backported patch correcting this issue.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www
fedoralegacy.org/docs for directions on how to configure yum and
apt-get.

Updated vim packages that fix multiple vulnerabilities are now
available.

VIM (Vi IMproved) is an updated and improved version of the vi
screenbased editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Ciaran McCreesh discovered a modeline vulnerability in VIM. It
is possible that a malicious user could create a file containing a
specially crafted modeline which could cause arbitrary command
execution when viewed by a victim. Please note that this issue only
affects users who have modelines and filetype plugins enabled,
which is not the default. The Common Vulnerabilities and Exposures
project has assigned the name CAN-2004-1138 to this issue.

The Debian Security Audit Project discovered an insecure
temporary file usage in VIM. A local user could overwrite or create
files as a different user who happens to run one of the the
vulnerable utilities. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2005-0069 to this issue.

All users of VIM are advised to upgrade to these erratum
packages, which contain backported patches for these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www
fedoralegacy.org/docs for directions on how to configure yum and
apt-get.

Takumi ASAKI discovered that uim always trusts environment
variables which can allow a local attacker to obtain elevated
privileges when libuim is linked against an suid/sgid application.
This problem is only exploitable in 'immodule for Qt' enabled Qt
applications.